Avoid Becoming a Crypto-Mining Bot: Where to Look for Mining Malware and How to Respond

At a white elephant party in northern Colorado in December, a friend of mine was telling me that he’d borrowed against his children’s college funds to put money into three different cryptocurrencies.

“I didn’t realize you followed the community,” I said.

“Oh, I don’t. A friend of mine has been badgering me to get invested,” he said. He’d bought in below the $5K mark. I’m sure my friend felt like a genius when it nearly hit $20K.

There’s a lot of speculation in cryptocurrency right now. People are mining coins all over the place, and even though it’s getting harder and harder to make money mining coins, interest is still high. All it costs is money for the power bill.

So, of course, clever people are figuring out how to use other people’s power to mine cryptocurrency, to the tune of millions of dollars. You could do it just by plugging in a 1900 watt, whisper quiet, terahash ASIC miner at your desk at work. That 1900 watts is roughly what 30 old-style light bulbs draw. Would anyone notice that in an office building?

Others scale the mining operation bigger and reduce their chance of getting caught by mining coins in malware botnets. There have been recent assertions that ransomware is yesterday’s news, because bot herders have found that mining is more profitable and less likely to be detected.

But cryptomining can be detected.

Why is This Important? What’s the Deal?

It’s sort of funny; there’s a feeling that cryptomining malware isn’t malicious, and therefore it must be really hard to find. But look closer. The assets being attacked in the cryptomining threat are:

● System integrity

● Compute

● Power

Yes, that’s less harmful than ransomware or APT, but in the end, it’s still just malware, and you use the same methods to find cryptomining malware as you do anything else. But let’s concentrate on three that are specific to this situation.

How to spot mining malware

Method #1 – Monitor the Network

Miners typically use mining pool platforms. Stratum, for example, likes ports 3333, 1333, 8333, etc. Decent “established-only” SNAT firewalls should block incoming mining requests. For outbound Stratum connections, you should be getting alerts on network anomalies like these using the same tools you’d use for outbound inspection of any other type of malware. Note that many of these connections will be encrypted, so seeing inside them may require SSL inspection where that is feasible.

Peer-to-peer (P2P) mining pools may use DNS to locate other hosts. If you’re lucky enough to have a threat feed that includes common pool servers as Indicators of Compromise (IoCs), great. But if you don’t, use one of the ones listed below or find the malware another way. When you find it, check its config for “pool_address” and then watch for other machines on your network connecting to that address. That will lead you to more infections.
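As an added illustration (not code from the original post), here is a small Python check that applies both signals above to a connection log: outbound TCP to the Stratum-typical ports the post names, and any outbound connection to the pool address pulled from a miner config found on a confirmed infection. The log format and the miner config are constructed for the example; adapt the parser to whatever your firewall or flow collector emits.

```python
import json
import ipaddress
from collections import defaultdict

# Ports commonly used by Stratum mining pools, as listed in the post.
STRATUM_PORTS = {3333, 1333, 8333}

# Constructed outbound connection records (firewall / flow log style),
# one per line as "src_ip dst_ip dst_port proto". Not real traffic.
SAMPLE_CONN_LOG = """\
10.0.5.21 93.184.216.34 443 tcp
10.0.5.21 203.0.113.77 3333 tcp
10.0.7.14 198.51.100.9 8333 tcp
10.0.7.14 93.184.216.34 443 tcp
10.0.9.3 203.0.113.77 14444 tcp
10.0.2.8 203.0.113.77 443 tcp
"""

# Constructed miner config as found on an infected host; "pool_address"
# is the key the post tells you to look for.
SAMPLE_MINER_CONFIG = '{"pool_address": "203.0.113.77:14444", "user": "wallet.worker"}'

def pool_from_config(config_text):
    """Return the (host, port) named by the miner config's pool_address."""
    cfg = json.loads(config_text)
    host, _, port = cfg["pool_address"].rpartition(":")
    return host, int(port)

def parse_conn_log(text):
    for line in text.splitlines():
        if line.strip():
            src, dst, port, proto = line.split()
            yield src, dst, int(port), proto

def find_suspect_hosts(conn_log, known_pools=()):
    """Map each internal source IP to the reasons it looks like a miner.
    Signals: outbound TCP to Stratum-typical ports, and any outbound
    connection to a pool address recovered from a confirmed infection."""
    known = set(known_pools)
    hits = defaultdict(list)
    for src, dst, port, proto in parse_conn_log(conn_log):
        if not ipaddress.ip_address(src).is_private:
            continue  # only care about connections leaving our ranges
        if proto == "tcp" and port in STRATUM_PORTS:
            hits[src].append(f"stratum-port {dst}:{port}")
        if (dst, port) in known:
            hits[src].append(f"known-pool {dst}:{port}")
    return dict(hits)
```

Run `find_suspect_hosts(SAMPLE_CONN_LOG, [pool_from_config(SAMPLE_MINER_CONFIG)])` and the third host shows up only because of the pool address, which is exactly the pivot the post describes.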

Prevent employees from running their own hardware cryptominers at their desks. The most powerful policy you can adopt is the one used by the most secure networks today: don’t let unknown MAC addresses on your network. Yes, this is harder than just looking the other way, but for god’s sake, people, it’s 2018; we need to get our heads out of the sand. If that’s too much of a challenge for now (and I get it, not everyone has a fully-staffed security team), an addendum to the company policy is appropriate, as is an email as a start.

Method #2 – Monitor the Servers

Recall from our threat list that power is the third asset under attack in the threat surface. You’re already monitoring your servers. Make sure you’re monitoring their CPU usage and temperature. Many data centers monitor fan speed, a jump of which is another indicator of compromise.

If any machine goes to 100% in the middle of the night and stays there, well, that’s suspicious and should be checked out. Even if a malicious miner is not consuming 100% of the CPU, the load itself will likely stay constant rather than sawing up and down, so monitor for that.
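To make the “stays constant” test concrete, here is an added Python example (not from the original post) that scores off-hours CPU samples per host and flags only those where the load is both high and nearly flat; a legitimate batch job with a sawing profile passes, while a miner pinned well below 100% is still caught. The sample series and thresholds are constructed for the example.

```python
import statistics
from datetime import datetime, timedelta

def _series(start, values):
    """Turn a list of CPU percentages into (timestamp, value) pairs at 5-minute spacing."""
    return [(start + timedelta(minutes=5 * i), v) for i, v in enumerate(values)]

# Constructed overnight CPU samples for three hosts; not real monitoring data.
NIGHT = datetime(2018, 2, 10, 1, 0)
SAMPLES = {
    # legitimate batch job: high but sawing up and down, then idle
    "db01": _series(NIGHT, [92, 40, 88, 35, 95, 30, 12, 8, 10, 9, 11, 8]),
    # miner-like: pinned flat around 85% and staying there, never hitting 100%
    "web07": _series(NIGHT, [86, 85, 87, 86, 85, 86, 87, 85, 86, 86, 85, 86]),
    # normal idle night
    "web08": _series(NIGHT, [5, 7, 4, 6, 5, 8, 6, 5, 4, 7, 6, 5]),
}

def flag_flat_load(samples, min_mean=70.0, max_stdev=5.0, min_points=6, off_hours=(0, 6)):
    """Return {host: (mean, stdev)} for hosts whose off-hours CPU is both high
    and nearly constant. Sawing load (high variance) is ordinary work; a flat,
    sustained load is the pattern to check, even when it sits below 100%."""
    lo, hi = off_hours
    flagged = {}
    for host, series in samples.items():
        night = [v for t, v in series if lo <= t.hour < hi]
        if len(night) < min_points:
            continue  # not enough off-hours samples to judge
        mean, sd = statistics.mean(night), statistics.pstdev(night)
        if mean >= min_mean and sd <= max_stdev:
            flagged[host] = (round(mean, 1), round(sd, 1))
    return flagged

if __name__ == "__main__":
    for host, (mean, sd) in flag_flat_load(SAMPLES).items():
        print(f"{host}: sustained {mean}% CPU overnight, stdev {sd}")
```

Feed it the same series from your monitoring system (Prometheus, Zabbix, whatever you already graph) and tune `min_mean` and `max_stdev` against a week of known-good nights before alerting on it.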

Mature tools can tell you if new files have been installed on servers; maybe it’s time to revisit Tripwire if you haven’t lately.

Method #3 – Protect Users via Block Lists

Drive-by cryptomining is JavaScript that affects browsers. Imagine a user visiting a site that hosts malicious JavaScript. The script mines coins while the user is on the site. The user’s system integrity isn’t affected, but her CPU is, and so is her power consumption. Malwarebytes wrote about variants that keep the mining going even after the user has closed the browser, which is really rude.

Fixing this problem is harder for administrators; most don’t monitor network, CPU usage, or fan speed for their users, especially for remote users.

In these cases, try to block access to sites that host mining JavaScript. If your threat feed doesn’t have a list of those IoCs, there are at least a couple of open-source ones maintained by

There’s a cute little tool, Dr. Mine, that you can install in your browser that utilizes those threat feeds to do the same. Note, I haven’t tried it, but I acknowledge that it exists.

Conclusion – Get Back to the Basics

Take a step back and realize that cryptocurrency mining is really just another form of malware, which is something you should be good at finding already. Look at graphs, just like you always do, for DDoS, or malware, or anything else. Find the anomalies and track them down. It’s the same with cryptomining.

David Holmes, CISSP, is a security researcher and a low-rent technical evangelist. He has a background in cryptography, application security, architecture, and development. He has spoken at more than 50 conferences, including RSA, InfoSec Europe, the Australian CyberSecurity Conference, and Gartner Data Center. He researches and writes regularly about cryptography, the Internet of Things, malware, policy, vulnerabilities, technical solutions, and the security industry in general as an expert contributor at SecurityWeek. Holmes studied Computer Science and Engineering Physics at the University of Colorado at Boulder and has awards from Toastmasters International. On Twitter he is @capmblade.